D. Adrian, K. Bhargavan, Z. Durumeric, P. Gaudry, M. Green et al., Imperfect forward secrecy: How Diffie-Hellman fails in practice, ACM SIGSAC Conference on Computer and Communications Security (CCS), pp.5-17, 2015.
URL : https://hal.archives-ouvertes.fr/hal-01982426

M. R. Albrecht and K. G. Paterson, Lucky microseconds: A timing attack on Amazon's S2N implementation of TLS, EUROCRYPT, pp.622-643, 2016.

N. Alfardan, D. J. Bernstein, K. G. Paterson, B. Poettering, and J. C. Schuldt, On the security of RC4 in TLS, USENIX Security Symposium, pp.305-320, 2013.

N. J. Alfardan and K. G. Paterson, Lucky thirteen: Breaking the TLS and DTLS record protocols, IEEE Symposium on Security and Privacy (SP 2013), pp.526-540, 2013.

J. B. Almeida, M. Barbosa, G. Barthe, and F. Dupressoir, Verifiable side-channel security of cryptographic implementations: Constant-time MEE-CBC, Fast Software Encryption (FSE), pp.163-184, 2016.

M. Avalle, A. Pironti, R. Sisto, and D. Pozza, The Java SPI framework for security protocol implementation, Availability, Reliability and Security, pp.746-751, 2011.

N. Aviram, S. Schinzel, J. Somorovsky, N. Heninger, M. Dankel et al., DROWN: breaking TLS using SSLv2, USENIX Security Symposium, pp.689-706, 2016.

G. Barthe, F. Dupressoir, B. Grégoire, C. Kunz, B. Schmidt et al., EasyCrypt: A tutorial, Foundations of Security Analysis and Design VII (FOSAD), ser. Lecture Notes in Computer Science, vol.8604, pp.146-166, 2014.
URL : https://hal.archives-ouvertes.fr/hal-01114366

M. Bellare, New proofs for NMAC and HMAC: Security without collision-resistance, Advances in Cryptology (CRYPTO), pp.602-619, 2006.

M. Bellare, J. Kilian, and P. Rogaway, The security of the cipher block chaining message authentication code, Journal of Computer and System Sciences, vol.61, issue.3, pp.362-399, 2000.

M. Bellare and C. Namprempre, Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, Advances in Cryptology (ASIACRYPT '00), pp.531-545, 2000.

B. Beurdouche, K. Bhargavan, A. Delignat-Lavaud, C. Fournet, M. Kohlweiss et al., A messy state of the union: Taming the composite state machines of TLS, IEEE Symposium on Security & Privacy (Oakland), 2015.
URL : https://hal.archives-ouvertes.fr/hal-01114250

K. Bhargavan, B. Blanchet, and N. Kobeissi, Verified models and reference implementations for the TLS 1.3 standard candidate, Inria, 2017.
URL : https://hal.archives-ouvertes.fr/hal-01575920

K. Bhargavan, C. Brzuska, C. Fournet, M. Green, M. Kohlweiss et al., Downgrade resilience in key-exchange protocols, IEEE Symposium on Security and Privacy, pp.506-525, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01425962

K. Bhargavan, A. Delignat-Lavaud, C. Fournet, A. Pironti, and P. Y. Strub, Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS, IEEE Symposium on Security & Privacy (Oakland), pp.98-113, 2014.
DOI : 10.1109/sp.2014.14
URL : https://hal.archives-ouvertes.fr/hal-01102259

K. Bhargavan, A. Delignat-Lavaud, and S. Maffeis, Language-based defenses against untrusted browser origins, USENIX Security Symposium, pp.653-670, 2013.
URL : https://hal.archives-ouvertes.fr/hal-00863372

K. Bhargavan, A. Delignat-Lavaud, and A. Pironti, Verified contributive channel bindings for compound authentication, Network and Distributed System Security Symposium (NDSS '15), 2015.
URL : https://hal.archives-ouvertes.fr/hal-01114248

K. Bhargavan, C. Fournet, R. Corin, and E. , Verified cryptographic implementations for TLS, ACM TOPLAS, vol.15, issue.1, p.32, 2012.
URL : https://hal.archives-ouvertes.fr/hal-00863381

K. Bhargavan, C. Fournet, and A. D. Gordon, Modular verification of security protocol code by typing, ACM Symposium on Principles of Programming Languages (POPL), pp.445-456, 2010.

K. Bhargavan, C. Fournet, A. D. Gordon, and S. Tse, Verified interoperable implementations of security protocols, ACM Transactions on Programming Languages and Systems, vol.31, issue.1, 2008.

K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, and P. Strub, Implementing TLS with verified cryptographic security, IEEE Symposium on Security & Privacy (Oakland), 2013.
URL : https://hal.archives-ouvertes.fr/hal-00863373

K. Bhargavan and G. Leurent, On the practical (in-)security of 64-bit block ciphers: Collision attacks on HTTP over TLS and OpenVPN, ACM SIGSAC Conference on Computer and Communications Security (CCS), pp.456-467, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01404208

K. Bhargavan and G. Leurent, Transcript collision attacks: Breaking authentication in TLS, IKE, and SSH, ISOC Network and Distributed System Security Symposium (NDSS), 2016.

B. Blanchet, A computationally sound mechanized prover for security protocols, IEEE Transactions on Dependable and Secure Computing, vol.5, issue.4, pp.193-207, 2008.

B. Blanchet, Automatic verification of correspondences for security protocols, Journal of Computer Security, vol.17, issue.4, pp.363-434, 2009.

B. Blanchet, Security protocol verification: Symbolic and computational models, Principles of Security and Trust, pp.3-29, 2012.

B. Blanchet, Modeling and verifying security protocols with the applied pi calculus and ProVerif, Foundations and Trends in Privacy and Security, vol.1, issue.1-2, pp.1-135, 2016.

D. Bleichenbacher, Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS#1, Annual International Cryptology Conference (CRYPTO), ser. Lecture Notes in Computer Science, vol.1462, pp.1-12, 1998.

M. Bodin, A. Charguéraud, D. Filaretti, P. Gardner, S. Maffeis et al., A trusted mechanised JavaScript specification, ACM Symposium on the Principles of Programming Languages, pp.87-100, 2014.
URL : https://hal.archives-ouvertes.fr/hal-00910135

D. Cadé and B. Blanchet, Proved generation of implementations from computationally secure protocol specifications, Journal of Computer Security, vol.23, issue.3, pp.331-402, 2015.

S. Chaki and A. Datta, Aspier: An automated framework for verifying security protocol implementations, 2009 22nd IEEE Computer Security Foundations Symposium, pp.172-185, 2009.

A. Chaudhuri, Flow: Abstract interpretation of JavaScript for type checking and beyond, ACM Workshop on Programming Languages and Analysis for Security (PLAS), 2016.

J. Coron, Y. Dodis, C. Malinaud, and P. Puniya, Merkle-Damgård revisited: How to construct a hash function, Advances in Cryptology (CRYPTO), pp.430-448, 2005.

V. Cortier, S. Kremer, and B. Warinschi, A survey of symbolic methods in computational analysis of cryptographic systems, Journal of Automated Reasoning, vol.46, issue.3-4, pp.225-259, 2011.
URL : https://hal.archives-ouvertes.fr/inria-00379776

C. Cremers, M. Horvat, S. Scott, and T. van der Merwe, Automated analysis and verification of TLS 1.3: 0-RTT, resumption and delayed authentication, IEEE Symposium on Security and Privacy, pp.470-485, 2016.

I. B. Damgård, A design principle for hash functions, Advances in Cryptology (CRYPTO '89), pp.416-427, 1989.

T. Dierks and E. Rescorla, The Transport Layer Security (TLS) Protocol Version 1.2, IETF RFC, vol.5246, 2008.

Y. Dodis, T. Ristenpart, J. Steinberger, and S. Tessaro, To hash or not to hash again? (In)differentiability results for H^2 and HMAC, Advances in Cryptology (CRYPTO), pp.348-366, 2012.

D. Dolev and A. C. Yao, On the security of public key protocols, IEEE Transactions on Information Theory, vol.29, issue.2, pp.198-207, 1983.

B. Dowling, M. Fischlin, F. Günther, and D. Stebila, A cryptographic analysis of the TLS 1.3 handshake protocol candidates, ACM Conference on Computer and Communications Security (CCS), pp.1197-1210, 2015.

M. Fischlin, F. Günther, B. Schmidt, and B. Warinschi, Key confirmation in key exchange: A formal treatment and implications for TLS 1.3, IEEE Symposium on Security and Privacy, pp.452-469, 2016.

M. Fischlin and F. Günther, Multi-stage key exchange and the case of Google's QUIC protocol, ACM SIGSAC Conference on Computer and Communications Security (CCS), pp.1193-1204, 2014.

S. Goldwasser, S. Micali, and R. Rivest, A digital signature scheme secure against adaptive chosen-message attacks, SIAM Journal of Computing, vol.17, issue.2, pp.281-308, 1988.

R. Hamilton, J. Iyengar, I. Swett, and A. Wilk, QUIC: A UDP-based multiplexed and secure transport, 2016.

K. E. Hickman, The SSL protocol, IETF Internet Draft, 1995.

T. Jager, F. Kohlar, S. Schäge, and J. Schwenk, On the security of TLS-DHE in the standard model, CRYPTO 2012, pp.273-293, 2012.

T. Jager, J. Schwenk, and J. Somorovsky, On the security of TLS 1.3 and QUIC against weaknesses in PKCS#1 v1.5 encryption, ACM SIGSAC Conference on Computer and Communications Security (CCS), pp.1185-1196, 2015.

N. Kobeissi, K. Bhargavan, and B. Blanchet, Automated verification for secure messaging protocols and their implementations: A symbolic and computational approach, IEEE European Symposium on Security and Privacy, 2017.
URL : https://hal.archives-ouvertes.fr/hal-01575923

H. Krawczyk, Cryptographic extraction and key derivation: The HKDF scheme, Advances in Cryptology (CRYPTO), pp.631-648, 2010.

H. Krawczyk, A unilateral-to-mutual authentication compiler for key exchange (with applications to client authentication in TLS 1.3), ACM SIGSAC Conference on Computer and Communications Security (CCS), pp.1438-1450, 2016.

H. Krawczyk, K. G. Paterson, and H. Wee, On the security of the TLS protocol: A systematic analysis, CRYPTO 2013, pp.429-448, 2013.

H. Krawczyk and H. Wee, The OPTLS protocol and TLS 1.3, IEEE European Symposium on Security & Privacy (EuroS&P), 2016.
URL : https://hal.archives-ouvertes.fr/hal-01378195

R. Küsters, T. Truderung, and J. Graf, A framework for the cryptographic verification of Java-like programs, IEEE Computer Security Foundations Symposium (CSF), pp.198-212, 2012.

A. Langley, M. Hamburg, and S. Turner, Elliptic curves for security, IRTF RFC, vol.7748, 2016.

X. Li, J. Xu, Z. Zhang, D. Feng, and H. Hu, Multiple handshakes security of TLS 1.3 candidates, IEEE Symposium on Security and Privacy, pp.486-505, 2016.

R. Lychev, S. Jero, A. Boldyreva, and C. Nita-Rotaru, How secure and quick is QUIC? Provable security and performance analyses, IEEE Symposium on Security & Privacy (Oakland), pp.214-231, 2015.

U. Maurer and B. Tackmann, On the soundness of authenticate-then-encrypt: Formalizing the malleability of symmetric encryption, ACM SIGSAC Conference on Computer and Communications Security (CCS), pp.505-515, 2010.

N. Mavrogiannopoulos, F. Vercauteren, V. Velichkov, and B. Preneel, A cross-protocol attack on the TLS protocol, ACM CCS, 2012.

C. Meyer, J. Somorovsky, E. Weiss, J. Schwenk, S. Schinzel et al., Revisiting SSL/TLS implementations: New Bleichenbacher side channels and attacks, USENIX Security Symposium, pp.733-748, 2014.

B. Möller, T. Duong, and K. Kotowicz, This POODLE bites: exploiting the SSL 3.0 fallback, 2014.

T. Okamoto and D. Pointcheval, The gap-problems: a new class of problems for the security of cryptographic schemes, Practice and Theory in Public Key Cryptography (PKC), pp.104-118, 2001.

K. G. Paterson, T. Ristenpart, and T. Shrimpton, Tag size does matter: Attacks and proofs for the TLS record protocol, ASIACRYPT, pp.372-389, 2011.

K. G. Paterson and T. van der Merwe, Reactive and proactive standardisation of TLS, Security Standardisation Research (SSR), pp.160-186, 2016.

M. Ray, A. Pironti, A. Langley, K. Bhargavan, and A. Delignat-Lavaud, Transport Layer Security (TLS) session hash and extended master secret extension, 2015.

E. Rescorla, M. Ray, S. Dispensa, and N. Oskov, TLS renegotiation indication extension, IETF RFC, vol.5746, 2010.

E. Rescorla, 0-RTT and A…, 2015.

E. Rescorla, [TLS] PR#875: Additional Derive-Secret stage, 2017.

B. Schmidt, S. Meier, C. Cremers, and D. Basin, Automated analysis of Diffie-Hellman protocols and advanced security properties, IEEE Computer Security Foundations Symposium (CSF), pp.78-94, 2012.

D. Stefan, Espectro project description, 2016.

N. Swamy, C. Hriţcu, C. Keller, A. Rastogi, A. Delignat-Lavaud et al., Dependent types and multi-monadic effects in F*, ACM Symposium on Principles of Programming Languages, pp.256-270, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01265793

M. Vanhoef and F. Piessens, All your biases belong to us: Breaking RC4 in WPA-TKIP and TLS, USENIX Security Symposium, pp.97-112, 2015.

D. Wagner and B. Schneier, Analysis of the SSL 3.0 protocol, USENIX Electronic Commerce, 1996.

J. K. Zinzindohoue, E. Bartzia, and K. Bhargavan, A verified extensible library of elliptic curves, IEEE Computer Security Foundations Symposium (CSF), pp.296-309, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01425957

A. Schedule

We show the following properties:

- $\mathrm{mac}^{H}_{k}(m) = \mathrm{mac}_{k}(H(m))$ is an SUF-CMA (strongly unforgeable under chosen message attacks) MAC. Indeed, since $\mathrm{mac} = \mathrm{HMAC}\text{-}H$ is a PRF, it is an SUF-CMA MAC as shown in [10], and this property is preserved by composition with a collision-resistant hash function.

- $\mathrm{sign}^{H}_{sk}(m) = \mathrm{sign}_{sk}(H(m))$ is a UF-CMA signature. Indeed, $\mathrm{sign}$ is a UF-CMA signature, and this property is preserved by composition with a collision-resistant hash function.

- … $e)$ and $\mathit{log}_1 \mapsto \text{derive-secret}(es, ets_c, \mathit{log}_1)$ are indistinguishable from independent random functions, and $k_b = \text{derive-secret}(es, pbk, \ldots)$ … are indistinguishable from independent fresh random values independent from these random functions.

- When $hs$ is a fresh random value, $\mathit{log}_1 \mapsto \text{derive-secret}(hs, hts_c, \mathit{log}_1),\ \text{derive-secret}(hs, hts_s, \mathit{log}_1)$ is indistinguishable from a random function, and $\text{hkdf-extract}(hs, 0^{\mathrm{len}_{H()}})$ is indistinguishable from a fresh random value independent from this random function.

- When $ms$ is a fresh random value, the functions $\mathit{log}_4 \mapsto \text{derive-secret}(ms, ats_c, \mathit{log}_4),\ \text{derive-secret}(ms, ats_s, \mathit{log}_4),\ \text{derive-secret}(ms, ems, \mathit{log}_4)$ and $\mathit{log}_7 \mapsto \text{derive-secret}(ms, rms, \ldots$ …

- When $l_1, l_2, l_3$ are pairwise distinct labels and $s$ is a fresh random value, $\text{hkdf-expand-label}(s, l_i, \ldots)$ for $i = 1, 2, 3$ …